Abstract - lic John Wilander
To build more secure software, accurate and consistent security
requirements must be specified. We have investigated current practice
by doing a field study of eleven requirement specifications on IT systems.
The overall conclusion is that security requirements are poorly
specified due to three things: inconsistency in the selection of
requirements, inconsistency in level of detail, and almost no
requirements on standard security solutions.
To build more secure software, we specifically need
requirements on code. A way to achieve implementation assurance is to
use effective methods and tools that solve or warn for known
vulnerability types in code. We have investigated the effectiveness of
four publicly available tools for run-time prevention of buffer
attacks. Our comparison shows that the best tool is effective against
only 50 % of the attacks and there are six attack forms which none of
the tools can handle.
We have also investigated the effectiveness of five
available compile-time intrusion prevention tools. The test results show
high rates of false positives for the tools building on lexical analysis
and low rates of true positives for the tools building on syntactical
and semantical analysis.
As a first step toward a more effective and generic
propose dependence graphs decorated with type and range information as a
way of modeling and pattern matching security properties of code. These
models can be used to characterize both good and bad programming
practice. They can also be used to visually explain code properties to
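The proposal of dependence graphs decorated with type and range information, reduced to a runnable toy as an added illustration (this is not the thesis' own tooling): each node carries a C type and an established value range, and a pattern over the graph flags a copy whose length range can exceed the destination capacity, while the same graph with a bounds check narrowing the range matches nothing. The node representation, the constructed `memcpy` fragment and the pattern itself are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:
    """One vertex of the dependence graph: a value, its C type and the
    integer range the analysis has established for it (inclusive bounds)."""
    name: str
    ctype: str
    lo: int
    hi: int
    deps: list = field(default_factory=list)  # data-dependence predecessors

def origin(node: Node) -> Node:
    """Follow data dependences back to the node the value originated from."""
    while node.deps:
        node = node.deps[0]
    return node

def unsafe_copy(length: Node, dest_capacity: int) -> Optional[str]:
    """Pattern for bad practice: the length fed to a copy has a range whose
    upper bound exceeds the destination buffer. Returns a finding or None."""
    if length.hi > dest_capacity:
        src = origin(length)
        return (f"length {length.name} in [{length.lo},{length.hi}] exceeds "
                f"capacity {dest_capacity}; originates from {src.name} ({src.ctype})")
    return None

def copy_length(checked: bool) -> Node:
    """Constructed graph (assumption) for the C fragment
         char buf[64]; size_t n = read_len();   /* untrusted input */
         if (n > 64) n = 64;                    /* only when checked */
         memcpy(buf, src, n);
    The bounds check becomes a new node whose range is narrowed to [0,64]."""
    n = Node("n", "size_t", 0, 2**32 - 1)       # unconstrained 32-bit input
    if checked:
        return Node("n_checked", "size_t", 0, 64, deps=[n])
    return n

BUF_CAPACITY = 64  # sizeof(buf) in the constructed fragment

def check(checked: bool) -> Optional[str]:
    """Run the pattern against the checked or unchecked variant of the graph."""
    return unsafe_copy(copy_length(checked), BUF_CAPACITY)

if __name__ == "__main__":
    print("unchecked:", check(False))
    print("checked:  ", check(True))
```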